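rule Linux_Gates
{

// Tencent is pleased to support the open source community by making HaboMalHunter available.
// Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
// Licensed under the MIT License (the "License"); you may not use this file except in 
// compliance with the License. You may obtain a copy of the License at
// 
// http://opensource.org/licenses/MIT
// 
// Unless required by applicable law or agreed to in writing, software distributed under the 
// License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, 
// either express or implied. See the License for the specific language governing permissions 
// and limitations under the License.

    // Purpose: flag ELF files that contain all three plaintext strings below,
    // which this rule associates with the Linux/Gates family (see Reference).
    //
    // Detection notes for whoever triages a hit or a miss:
    //   - Each $s* string is a case-sensitive ASCII substring match (no
    //     modifiers), so it also matches inside a longer symbol or path.
    //   - Strings are matched as stored in the scanned data. A packed or
    //     string-obfuscated sample will not match until it is unpacked, so a
    //     miss does not clear a file.
    //   - There is no filesize bound; the ELF header check is the only
    //     structural constraint.
    meta:
        Author      = ""
        Date        = "2016/11/10"
        Description = "Linux/Gates malware"
        Reference   = "http://www.freebuf.com/articles/system/117823.html"
    strings:
        // Presumably a library name and two attack-routine names embedded in
        // the sample -- confirm against the referenced write-up.
        $s0 = "libamplify.so"
        $s1 = "AttackSyn"
        $s2 = "AttackDns"
    condition:
        // ELF magic (7f 45 4c 46) read as a little-endian uint32 at offset 0.
        // Anchored at exactly offset 0 rather than a range: the magic is only
        // meaningful as the first four bytes of the file, and a range would
        // also accept non-ELF data that merely has those bytes near the start.
        uint32(0) == 0x464c457f and all of ($s*)
}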